CVE-2026-31809

SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

Severity Score

6.4

*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab (	), newline (
), or carriage return () characters inside the javascript: string bypasses this prefix check. Browsers strip these characters per the WHATWG URL specification before parsing the URL scheme, so the JavaScript still executes. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint, creating a reflected XSS. This is a second bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in 3.5.10.

SiYuan es un sistema de gestión de conocimiento personal. Antes de la versión 3.5.10, el saneador de SVG de SiYuan (SanitizeSVG) verifica los atributos href en busca del prefijo javascript: utilizando strings.HasPrefix(). Sin embargo, la inserción de caracteres de tabulación ASCII ( ), nueva línea (
) o retorno de carro ( ) dentro de la cadena javascript: elude esta verificación de prefijo. Los navegadores eliminan estos caracteres según la especificación de URL de WHATWG antes de analizar el esquema de URL, por lo que el JavaScript aún se ejecuta. Esto permite a un atacante inyectar JavaScript ejecutable en el endpoint no autenticado /API/icon/getDynamicIcon, creando un XSS reflejado. Este es un segundo bypass de la corrección para CVE-2026-29183 (corregido en la v3.5.9). Esta vulnerabilidad se corrige en la versión 3.5.10.

*Credits: N/A

CVSS Scores

GitHubv4 6.4

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

Passive

System

Vulnerable | Subsequent

Confidentiality

None

High

Integrity

None

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2026-03-09 CVE Reserved
2026-03-10 CVE Published
2026-03-11 CVE Updated
2026-04-21 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (1)

URL	Tag	Source
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Siyuan-note Search vendor "Siyuan-note"		Siyuan Search vendor "Siyuan-note" for product "Siyuan"				< 3.5.10 Search vendor "Siyuan-note" for product "Siyuan" and version " < 3.5.10"		en		Affected